Experian U.S. Data Breaches Prompt Investigation by Irish Regulators

Executive Summary

Experian Plc., a global information services group, is being investigated by Irish regulators in the wake of a series of breaches of the company’s databases. The Office of the Data Protection Commissioner, which enforces privacy laws in Ireland, has opened a preliminary inquiry into the security practices of Dublin-based Experian. According to the article, the agency’s deputy commissioner, Gary Davis, said the inquiry was prompted by recent reports that Experian’s database had been breached at least 80 times, leading to the theft of almost 15,500 credit reports since 2006. The Office of the Data Protection Commissioner wants to know whether the network security breaches have affected Irish consumers or businesses. Regulators have also requested information on what steps the company is taking to prevent unauthorized access to its databases. The majority of the breaches happened when hackers broke into the computer networks of Experian customers, such as banks, and stole their passwords to access credit reports online. Regulators will also look into whether Experian can be held liable for failing to detect and prevent the fraud.

On a side note, both houses of the United States Congress are investigating Experian Plc., along with Equifax Inc. and TransUnion Corp., over how much data they collect, how the data is used, and whether the data is secure. The credit reports contain valuable information, such as Social Security numbers, birth dates and detailed credit histories, that identity thieves can use to commit fraud. The U.S. congressional probes are determining whether the data protections Experian Plc. had in place were adequate and whether the company can be held responsible for the data breaches.

Analysis

Keeping data secure is very important, especially for consumers' personal credit histories, because they contain identifiable information such as Social Security numbers, names, addresses and credit card information. The Bloomberg article by Jordan Robertson tallied 86 data breaches since 2006 in which hackers went after affiliated businesses, such as banks, auto dealers and even a police department, that rely on Experian for background credit checks. This demonstrates how attackers found a flaw in Experian’s data access model by exploiting affiliates' security weaknesses instead of directly targeting the credit-reporting agency.

In one example, Abilene Telco Federal Credit Union, a small bank in west-central Texas, had its online password to Experian stolen last year, and 847 credit reports were taken, including those of people who had never done business with the bank. Experian should have been alerted to the fraud because of the abnormally high number of credit reports drawn in a single day, and because the pulls happened on a day when the bank was closed. Detection software could mitigate this problem by restricting access outside an affiliate's normal operating hours and tracking usage, so that additional authorization is required when the volume of transactions exceeds normal usage.
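As an added example (not from the article, Bloomberg, or Experian), the kind of access-monitoring rule described above: one affiliate's credit-report pulls are reviewed against a constructed operating-hours profile and daily baseline, flagging pulls on days the affiliate is closed, pulls outside business hours, and daily volumes that should be held for additional authorization. The affiliate name, hours, baseline and sample access log are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class AffiliateProfile:
    """Expected access pattern for one affiliate account (assumed values)."""
    name: str
    open_days: frozenset           # weekday numbers, 0 = Monday ... 6 = Sunday
    opens: time
    closes: time
    baseline_daily_pulls: int      # typical number of reports drawn per business day
    burst_multiplier: float = 3.0  # above baseline * multiplier, require step-up auth

def review_pulls(profile, pulls):
    """Group one affiliate's report pulls by calendar day and return findings.

    pulls: list of (datetime, report_id) already filtered to this affiliate.
    Returns a list of (day, reason, detail) tuples, one per condition per day.
    """
    by_day = defaultdict(list)
    for ts, report_id in pulls:
        by_day[ts.date()].append((ts, report_id))
    findings = []
    for day in sorted(by_day):
        entries = by_day[day]
        count = len(entries)
        if day.weekday() not in profile.open_days:
            findings.append((day, "closed_day", f"{count} reports drawn while {profile.name} was closed"))
        else:
            after_hours = [r for ts, r in entries if not (profile.opens <= ts.time() < profile.closes)]
            if after_hours:
                findings.append((day, "out_of_hours", f"{len(after_hours)} report(s) drawn outside {profile.opens}-{profile.closes}"))
        if count > profile.baseline_daily_pulls * profile.burst_multiplier:
            findings.append((day, "volume_stepup", f"{count} reports exceed baseline of {profile.baseline_daily_pulls}; hold pending additional authorization"))
    return findings

# Constructed profile: a small credit union open Mon-Fri 09:00-17:00, about 20 pulls per day.
PROFILE = AffiliateProfile("example-credit-union", frozenset(range(5)), time(9), time(17), 20)

def sample_pulls():
    """Constructed access log: normal Friday use, one late Friday pull, then a Saturday burst."""
    pulls = [(datetime(2013, 3, 8, 9 + i // 3, 15), f"CR-{i:04d}") for i in range(18)]
    pulls.append((datetime(2013, 3, 8, 19, 30), "CR-0018"))
    pulls += [(datetime(2013, 3, 9, 2, i % 60), f"CR-S{i:04d}") for i in range(120)]
    return pulls

if __name__ == "__main__":
    for day, reason, detail in review_pulls(PROFILE, sample_pulls()):
        print(day, reason, detail)
```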

Experian also needs to work with its credit affiliates to strengthen their password policies. The policies should include regularly testing the strength of passwords, not reusing the same password at multiple sites, enforcing short password lifetimes, not allowing shared passwords, and disabling passwords that are no longer valid. Accounts should be locked if authentication fails more than twice. Users should call in to verify their identity to unlock an account or reset their password. These measures will minimize security breaches of the credit report databases.